
The Fix

Adds support for the ssl_ca_path parameter to the async Redis client, enabling it to specify a directory of CA certificates, matching the functionality of the sync client.

Based on closed redis/redis-py issue #3414 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke-test critical endpoints (health, OpenAPI/docs) before going to 100%.

@@ -243,6 +243,7 @@ def __init__( ssl_ca_certs: Optional[str] = None, ssl_ca_data: Optional[str] = None, + ssl_ca_path: Optional[str] = None, ssl_check_hostname: bool = True, ssl_min_version: Optional[TLSVersion] = None,
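Review bot: ssl_ca_path is inserted between ssl_ca_data and ssl_check_hostname instead of being appended, so unless these parameters are keyword-only, a caller that passes ssl_check_hostname or later arguments positionally will bind them to the wrong parameter. The visible lines show no keyword-only marker, so either append the new parameter at the end of the signature or confirm the marker is there. The hunk also shows only the signature change: check that the value actually reaches context.load_verify_locations, and document in the docstring that it expects a directory rather than a single bundle file.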

Why This Fix Works in Production

  • Trigger: ssl_ca_path supported by sync client but not by async client
  • Mechanism: The async Redis client did not support the ssl_ca_path argument for CA certificates
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • The async Redis client did not support the ssl_ca_path argument for CA certificates
  • Production symptom (often without a traceback): ssl_ca_path supported by sync client but not by async client

Proof / Evidence

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

“I solved this problem by using: 1) cluster 2) pool”
@Gerioso · 2024-10-16 · source
“> I solved this problem by using... The ssl_ca_certs argument is passed into the cafile argument in context.load_verify_locations(cafile=self.ca_certs, cadata=self.ca_data) which expects a single file, not…”
@tyler-8 · 2024-10-17 · source
“This issue has been automatically marked as stale due to inactivity. It will be closed in 30 days if no further activity occurs. If you…”
@github-actions · 2025-10-18 · source

Failure Signature (Search String)

  • ssl_ca_path supported by sync client but not by async client
  • ssl_ca_certs=* ssl_ca_path*,

Error Message

Signature-only (no traceback captured)

Minimal Reproduction

repro.py
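from redis.asyncio import RedisCluster
from redis.asyncio.cluster import ClusterNode

# cluster_hosts (a list of ClusterNode), redis_password and ssl_ca_path
# (a directory of CA certificates) are the reporter's placeholders.
pool = RedisCluster(
    startup_nodes=cluster_hosts,
    password=redis_password,
    ssl=True,
    ssl_ca_certs=ssl_ca_path,  # directory passed where a single CA file is expected
    decode_responses=True,
)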

What Broke

Users experienced SSL connection issues due to missing CA certificate support in the async client.

Why It Broke

The async Redis client did not support the ssl_ca_path argument for CA certificates
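
The file-versus-directory distinction behind this issue, as an added example (not code from redis-py or the issue thread): ssl_ca_certs feeds cafile, which takes a single file, while a CA directory has to go to capath, which is assumed here to be where ssl_ca_path ends up. The helper names ca_kwargs, build_context and directory_as_cafile_error are hypothetical, and the temporary directory is constructed for the demo.

```python
import os
import re
import ssl
import tempfile

# OpenSSL looks up capath entries by file name: <subject-hash>.<n>
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def ca_kwargs(location):
    """Pick the TLS keyword for a CA location; return (kwargs, warnings)."""
    warnings = []
    if os.path.isdir(location):
        if not any(HASHED_NAME.match(name) for name in os.listdir(location)):
            warnings.append("no <hash>.<n> entries; run `openssl rehash` on it")
        return {"ssl_ca_path": location}, warnings
    if os.path.isfile(location):
        return {"ssl_ca_certs": location}, warnings
    raise FileNotFoundError(location)


def build_context(kwargs):
    """Assumed mapping: ssl_ca_certs -> cafile, ssl_ca_path -> capath."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    cafile, capath = kwargs.get("ssl_ca_certs"), kwargs.get("ssl_ca_path")
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def directory_as_cafile_error(directory):
    """Reproduce the failure: a directory handed to cafile is rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=directory)
    except OSError as exc:  # ssl.SSLError and IsADirectoryError are both OSError
        return type(exc).__name__
    return None


def demo():
    with tempfile.TemporaryDirectory() as ca_dir:  # constructed, empty CA directory
        kwargs, warnings = ca_kwargs(ca_dir)
        ctx = build_context(kwargs)
        error = directory_as_cafile_error(ca_dir)
        return list(kwargs), warnings, ctx.verify_mode.name, ctx.check_hostname, error


if __name__ == "__main__":
    print(demo())
```

Loading a directory through capath succeeds even when it holds no usable certificates, because OpenSSL only consults it during the handshake; the warning from ca_kwargs is what flags an unhashed directory before deployment.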

Fix Options (Details)

Option A — Apply the official fix

Adds support for the ssl_ca_path parameter to the async Redis client, enabling it to specify a directory of CA certificates, matching the functionality of the sync client.

When NOT to use: This fix should not be used if the application relies on the previous behavior of the async client.

Fix reference: https://github.com/redis/redis-py/pull/3879

Last verified: 2026-02-11. Validate in your environment.



Verify Fix

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.


Prevention

  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
  • Track RSS + object counts after deployments; alert on monotonic growth and GC pressure.
  • Add a long-running test that repeats the failing call path and asserts stable memory.


Sources

We don’t republish the full GitHub discussion text. Use the links above for context.